thanks for this, AVG always says "whoa hold on there might be bad stuffs and the boogeyman in there, let me think you're under virus attack for the next 30 seconds" while I grind my teeth and shake my fist at the mainstream corporate elites who would only serve Gates-friendly DARPA software to the vaccinated masses.

More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.

Sam_, I've experienced the same things, and chose to now compile without MPRESS too.


Part of the reason why MPRESS creates issues with Anti-Virus vendors is that many don't have an unpacker for it, whereas with UPX, the Anti-Virus companies' software can usually unpack and inspect the contents. And use of any "exotic" or unknown packer is more likely to trigger Anti-Virus software. You might want to see if UPX won't cause you issues, or consider not using a packer.
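To make the point above concrete, here is a small defender-side triage script, added as an illustration and not taken from this thread or from the AutoHotkey project: it parses a PE's section table, flags section names that known packers leave behind, and measures each section's byte entropy, which is roughly the kind of cheap heuristic an AV engine falls back on when it has no unpacker for the format. The UPX section names are documented; the MPRESS names are as I remember them and should be checked against a real MPRESS-packed file. The sample PE images are constructed in the script (headers plus section table only, not runnable executables) so it runs offline.

```python
import math
import random
import struct
from collections import Counter

# Section names left behind by well-known packers. UPX names are documented;
# the MPRESS names are an assumption to verify against a real packed binary.
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".MPRESS1": "MPRESS", b".MPRESS2": "MPRESS",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for each section of a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    sec_table = coff + 20 + size_opt
    for i in range(num_sections):
        # Section header is 40 bytes; we only need Name, SizeOfRawData, PointerToRawData
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, sec_table + 40 * i)
        yield name.rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]


def triage(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Report packer section names and near-random sections; either one is a packing hint."""
    packers, high_entropy = set(), []
    for name, raw in pe_sections(pe):
        if name in PACKER_SECTION_NAMES:
            packers.add(PACKER_SECTION_NAMES[name])
        ent = shannon_entropy(raw)
        if raw and ent >= entropy_threshold:
            high_entropy.append((name.decode("ascii", "replace"), round(ent, 2)))
    return {
        "packers": sorted(packers),
        "high_entropy_sections": high_entropy,
        "likely_packed": bool(packers) or bool(high_entropy),
    }


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE layout (DOS stub, PE signature, COFF header, section
    table, raw section data). It is a parsing fixture only, not a runnable program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # no optional header
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    table, blobs = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), 0x1000,
                             len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed samples: a UPX-style layout whose payload section is pseudo-random
# (what compressed code looks like), and a plain layout with low-entropy sections.
_rng = random.Random(1234)
_compressed_looking = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_PACKED = build_sample_pe([(b"UPX0", b""), (b"UPX1", _compressed_looking)])
SAMPLE_CLEAN = build_sample_pe([
    (b".text", b"\x90" * 300 + b"\xC3\x00" * 100),
    (b".data", b"\x00" * 256),
])

if __name__ == "__main__":
    for label, image in (("packed sample", SAMPLE_PACKED), ("clean sample", SAMPLE_CLEAN)):
        print(label, triage(image))
```

Run it on a real compiled script by reading the .exe into `triage()`; a hit on `packers` or a section above the entropy threshold is only a hint that the file is compressed, which is exactly why an engine with no matching unpacker tends to err on the side of a detection.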

I write a bunch of scripts for my work and Sophos has recently started blocking most of them, which is causing REAL grief.

On checking the actual Autohotkey install file (latest version) it also flags up as malware and won't even install it properly.

Any thoughts? Is this likely to be something changed by AHK or should I just submit it?

Edit: A very simple script of about 10 lines converted to an exe with AHK now shows up more than 11 threats on VirusTotal - this is just 1 example and is probably not worth the time it would take to submit all these false positive claims :/
I would have to consider stopping using AHK altogether which is a massive pain and a real shame.

Edit 2: With further testing, I have discovered that using ANSI 32-bit conversion and Impress compression seems to get around Sophos, however VirusTotal still finds 8 problems with it.

Last edited by Grumpy IT Guy on 03 Apr 2019, 06:13, edited 1 time in total.


My work computer flags compiled ahk scripts as a few different types of malware because of my Windows Defender AV. It also won't let me download certain installers which I'm certain are safe. Some AVs will flag more or less threats. As always, do your due diligence and ensure there is no other malicious activity in your system. If you got it directly from this site, then it will be a safe false-positive.

It's important to submit as many false positive claims about this issue as possible across as many AV companies, so it shows that AHK has a safe community. Due to the nature of AHK being able to efficiently automate complex systems mixed with some bad people using AHK for nefarious purposes, it has gained some bad reputation within the online space that we hope to change.

I also haven't used mpress (or upx) since like 2010, and still get false positives all the time on compiled scripts, so it may help but it is not a total solution. Some older versions (and simpler scripts) are 1 or 2 FPs on VirusTotal; some newer compiled ahk versions (and more complex, "invasive" but functional scripts) are up to 11 false positives at the moment.

I also have major problems with "Microsoft Security Essentials" (which is effectively the same as Defender afaik) and programs I run and distribute throughout my workplace, even when explicitly permitted. Even though I don't bother with reporting users' complaints about false positives for EitherMouse anymore, I've started submitting to Microsoft my own internal company programs just so they stop getting deleted.


Some good points.

And we have to stay on these Anti-Virus companies, because arguably a lot of this drama is about laziness. High level programmers working at these Anti-Virus companies should have a much easier time analyzing an open source interpreted scripting language, in comparison to traditionally compiled languages or closed source, to determine if there is really a threat. There are a number of ways for them to see the script, even when "bound" to the open source executable. Just no excuse for the silliness that is taking place or out of control heuristic scanners labeling anything as a threat.

What are you talking about? McAfee has a false-positive procedure, where you inform them by e-mail, and they are included.

"Rachel" and "Maria" are both accounts that have connections to the same company (you can find it in their account details, see under "Website"). Other accounts with the same affiliation also made strange posts before and - from time to time - dropped a link or two (and some have been banned, iirc). They don't seem to be bots, but I strongly suspect that they mainly contribute something in order to advertise casually later and not because they have any real interest in the subject.

@mariafox and @RachelKieran, do you mind elaborating on your strange posts here, or are you ok with permanently closing your accounts?